User Accessed Suspicious URL Categories

SymantecProxySG
| mv-expand cs_categories
| where cs_categories has_any ("Suspicious","phishing", "hacking")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)

name: User Accessed Suspicious URL Categories
id: fb0f4a93-d8ad-4b54-9931-85bdb7550f90
description: |
    'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: cs_userdn
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: c_ip
    identifier: Address
  entityType: IP
version: 1.0.5
triggerOperator: gt
query: |
  SymantecProxySG
  | mv-expand cs_categories
  | where cs_categories has_any ("Suspicious","phishing", "hacking")
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)  
tactics:
- InitialAccess
- CommandAndControl
kind: Scheduled
queryFrequency: 1h
severity: Medium
queryPeriod: 1h
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
relevantTechniques:
- T1566
- T1071